Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication. To set this up, you can implement Hybrid Azure AD joined devices. These are devices that are joined both to your on-premises Active Directory and your Azure Active Directory.

The following video details the steps for how to set this up for the most common scenario that is also detailed in the following steps.

1. Prepare for Directory Synchronization

Before you synchronize your users and computers from the local Active Directory Domain, review Prepare for directory synchronization to Office 365. In particular:

  • Ensure that no duplicates exist in your directory for the following attributes: mail, proxyAddresses, and userPrincipalName. These values should be unique and any duplicates should be removed.

  • We recommend that the userPrincipalName (UPN) attribute for each local user account is configured to match the primary email address that corresponds to the licensed Microsoft 365 user. For example *mary.shelley@contoso.com* rather than *mary@contoso.local*

  • If the Active Directory domain ends in a non-routable suffix like .local or .lan, instead of an internet routable suffix such as .com or .org, you will need to adjust the UPN suffix of the local user accounts first as described in Prepare a non-routable domain for directory synchronization.

2. Install and configure Azure AD Connect

To synchronize your users, groups, and contacts from the local Active Directory into Azure Active Directory, install Azure Active Directory Connect and set up directory synchronization. See Set up directory synchronization for Office 365 to learn more.


The steps are exactly the same for Microsoft 365 Business.

As you configure your options for Azure AD Connect, we recommend enabling Password Synchronization and Seamless Single Sign-On, as well as the password writeback feature, which is also supported in Microsoft 365 Business.


There are some additional steps for password writeback beyond the check box in Azure AD Connect. For more information, see How-to: configure password writeback.

3. Configure Hybrid Azure AD Join

Before you enable Windows 10 devices to be Hybrid Azure AD joined, you should make sure that you meet the following prerequisites:

  • You are running the latest version of Azure AD connect.

  • Azure AD connect has synchronized all the computer objects of the devices you want to be hybrid Azure AD joined. If the computer objects belong to specific organizational units (OU), then make sure these OUs are set for synchronization in Azure AD connect as well.

To register existing domain-joined Windows 10 devices as Hybrid Azure AD joined, follow the steps in the Tutorial: Configure hybrid Azure Active Directory join for managed domains. This will hybrid-enable your existing on-premises Active Directory joined Windows 10 computers and make them cloud ready.

4. Enable automatic enrollment for Windows 10

To automatically enroll Windows 10 devices for mobile device management in Intune, see Enroll a Windows 10 device automatically using Group Policy. You can set the Group Policy at a local computer level, or for bulk operations, you can create this group policy setting on your Domain Controller using the Group Policy Management Console and ADMX templates.

5. Configure Seamless Single Sign-On

Seamless SSO will automatically sign users into their Microsoft 365 cloud resources when they use corporate computers. Simply deploy one of the two Group Policy options described in Azure Active Directory Seamless Single Sign-On: Quick start. The Group Policy option does not allow users to change their settings, while the Group Policy Preference option sets the values but also leaves them user-configurable.

6. Set up Windows Hello for Business

Windows Hello for Business replaces passwords with strong two-factor authentication (2FA) for signing into a local computer. One factor is an asymmetric key pair, and the other is a PIN or other local gesture such as fingerprint or facial recognition if your device supports it. We recommend that you replace passwords with 2FA and Windows Hello for Business where possible.

To configure Hybrid Windows Hello for Business, review the Hybrid Key trust Windows Hello for Business Prerequisites. Then follow the instructions in Configure Hybrid Windows Hello for Business key trust settings.